A group of university researchers have analyzed the business of unsolicited email, or spam, and discovered new ways of attacking the market for spam that could make the activity much less profitable.
For more than a decade, consumers and businesses online have held the line against spam by simply filtering out messages. But the strategy, at best, holds the spammers at bay while being a significant inconvenience for most Internet users. In a paper presented at the IEEE Symposium on Security & Privacy this week, a group of 15 university researchers analyzed the business ecosystem that allows spam to exist and be profitable. Their findings: The most promising weak point in the model is the financial institutions that clear the transactions for product advertised by spam.
"It is incredibly tempting to look at the problem in terms of let's just put in a technical fix to block the mail," says Stefan Savage, one of the paper's authors and a professor in the Department of Computer Science and Engineering at the University of California, San Diego. "But that is really just a symptom of this much larger enterprise that is causing all this spam to get here. And without looking at the enterprise, and why it's happening and what are the elements are, it is pretty hard to invest in the right thing."
In many ways, the spam business is like the drug trade, Savage says. Better fences at the border do not solve the problem of drugs, because the demand in the U.S. for the product is so high. Similarly, as long as people keep buying the products advertised by spam, the spammers will find ways to get the message out, he says.
"There is money to be made, so if you plug one hole, there is a huge incentive to find another way to get that advertising to you," Savage says.
The researchers collected data about the business relationships that are necessary for a successful spam campaign. The broke the model into three major components: The advertising focused on reaching consumers, the click support infrastructure that routes interested consumers to the advertiser's Web site, and the realization of profit when the consumer pays for the advertised product. The researchers collected data on each spam campaign from their database of nearly 1 billion URLs sent through spam and 18 million distinct domains, and attempted to attribute each campaign to a businesses and affiliates that are part of the spam ecosystem. In some cases, they posed as buyers to gather data on the sellers; in others, they found improperly secured affiliate sites that they could log into and gather data.
In total, the researchers classified about 365 million URLs as belonging to 45 different affiliate programs. The researchers then bought some product through specific spammed URLs to identify the banks clearing the transactions.
"There was a huge amount of investigatory work," Savage says.
While some spam networks -- such as the Waledac botnet -- have been brought down by seizing the domains used by the command-and-control servers managing the infrastructure, the strategy ultimately does not work because there are so many domain registrars and the cost of moving to a new site is low. Instead, the researchers found that the best strategy is to focus on the banks that clear the transactions for spam-advertised products. In the paper, they found that only 14 banks -- such as Azerigazbank in Azerbaijan, B&N in Russia and Wirecard AG in Germany -- clear the transactions for all the purchases made.
"On the payment processing side, there are really only a handful of banks that we ever see," Savage says. "And 95 percent of the spam volume for the products that we looked at get monetized through those few banks."
Because the cost of switching banks is high, and there are not a lot of banks that accept high-risk transactions typically associated with spam, getting the banks to drop the spammers could make the activity far less profitable, he says. Like the U.S. moratorium on online gambling transactions, requiring that clearing houses not allow certain types of transactions to suspect banks could significantly hinder spam.
"Remote transactions for buying pharmaceuticals from Azerbaijan just should not happen," he says. "There is not a foolproof way to deal with it, but I would argue that it is the most cost effective way to deal with it."
Read more about malware/cybercrime in CSOonline's Malware/Cybercrime section.